
Dependabot ignore semantic version not working with latest dependabot-updater-maven #10634

Closed
1 task done
phuc98ute opened this issue Sep 19, 2024 · 10 comments
Labels
L: java:maven Maven packages via Maven T: bug 🐞 Something isn't working

Comments

@phuc98ute

phuc98ute commented Sep 19, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

maven

Package manager version

maven

Language version

Java

Manifest location and content before the Dependabot update

https://github.com/phuc98ute/dependabot-ignore-major/blob/main/pom.xml

dependabot.yml content

Ref here: https://github.com/phuc98ute/dependabot-ignore-major/blob/main/.github/dependabot.yml

Updated dependency

org.mockito:mockito-core from 4.11.0 to 5.0.0

What you expected to see, versus what you actually saw

  • Expected: no version update for org.mockito:mockito-core.
  • Actual: Dependabot creates a PR to upgrade the dependency to the next major version, 5.0.0.
    In the GitHub Actions log, it shows that the updater received the correct ignore version config here and here. However, it found the latest version 5.0.0 and decided to upgrade the version from 4.11.0 to 5.0.0 here.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

phuc98ute/dependabot-ignore-major#1

Smallest manifest that reproduces the issue

Please ref to public demo repo here: https://github.com/phuc98ute/dependabot-ignore-major

@phuc98ute phuc98ute added the T: bug 🐞 Something isn't working label Sep 19, 2024
@github-actions github-actions bot added L: dart:pub Dart packages via pub L: java:maven Maven packages via Maven L: github:actions GitHub Actions labels Sep 19, 2024
@ralfkonrad

Same here:

      - dependency-name: "org.apache.mina:mina-core"
        update-types:
          - "version-update:semver-major"

got ignored.

Also, Dependabot creates a PR to "Bump jakarta.inject:jakarta.inject-api from 2.0.1 to 2.0.1.MR", which is actually a step backwards rather than forward.

@nabeelpaytrix

We've noticed this too, is there an immediate workaround, e.g. reverting the Dependabot version we are using? Do you have a known working version?

@phuc98ute
Author

We've noticed this too, is there an immediate workaround, e.g. reverting the Dependabot version we are using? Do you have a known working version?

@nabeelpaytrix do you know any way to specify the version of dependabot-updater-maven on dependabot v2?
I believe we should try with the version from 2 days ago: v2.0.20240917210021

@phuc98ute
Author

phuc98ute commented Sep 19, 2024

@amazimbe sorry for this inconvenience.
I see the latest merged PR is from your end, "Use new implementation of Maven version standard", so I hope you have useful information to address the reported issue.
It has a significant impact on our project, with many repos upgraded to the wrong version.

@amazimbe amazimbe self-assigned this Sep 19, 2024
@jmax01

jmax01 commented Sep 19, 2024

Yesterday evening there were 11...


@amazimbe
Contributor

@amazimbe sorry for this inconvenience. I see the latest merged PR is from your end, "Use new implementation of Maven version standard", so I hope you have useful information to address the reported issue. It has a significant impact on our project, with many repos upgraded to the wrong version.

@phuc98ute the issue with the ignore conditions seems to be present even in versions prior to merging the PR you cited. I ran an older version of Dependabot against phuc98ute/dependabot-ignore-major and got

+---------------------------------------------------------------------------------------+
updater | | Changes to Dependabot Pull Requests |
updater | +---------+-----------------------------------------------------------------------------+
updater | | created | org.springframework.boot:spring-boot-starter-parent ( from 3.3.3 to 3.3.4 ) |
updater | | created | org.mockito:mockito-core ( from 4.11.0 to 5.13.0 ) |
updater | +---------+-----------------------------------------------------------------------------+

@amazimbe
Contributor

Also, Dependabot creates a PR to "Bump jakarta.inject:jakarta.inject-api from 2.0.1 to 2.0.1.MR", which is actually a step backwards rather than forward.

The issue with the 2.0.1.MR version is expected and was explained in this discussion #10626. Basically, we decided to follow the Maven specification for version identifiers. In this spec, MR is not one of the supported qualifiers for prereleases or development versions.

@marcrohlfs

In our project we e.g. use the following ignores:

ignore:
  - dependency-name: 'org.springframework*:*'
    update-types: [ version-update:semver-major ]
  - dependency-name: 'org.mockito:*'
    update-types: [ version-update:semver-minor ]

They are all getting ignored now. Even worse: ignore conditions that were set with @dependabot ignore this major version are also not respected anymore.

This is really awful!
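For readers trying to pin down what the `ignore` block is supposed to do, here is an added worked example of the expected semantics: a dependency-name glob plus `update-types` filter applied to a candidate bump. It is not Dependabot's code and not from any participant; the rule set is built from the rules quoted in this thread (mina-core, `org.springframework*:*`, `org.mockito:*`) plus one assumed `org.mockito:mockito-core` major rule standing in for the reporter's linked dependabot.yml, and the candidate updates are constructed from the coordinates mentioned above. A qualifier-only change like 2.0.1 to 2.0.1.MR is treated here as "not a semver upgrade", which is an assumption made to show why no `semver-*` rule can suppress it.

```python
"""Evaluate Dependabot-style `ignore` conditions against candidate Maven updates.

Added illustration of the semantics expected in this thread, not Dependabot's
own implementation. Rules and candidates below are constructed for the demo.
"""
import fnmatch
import re

SEMVER_MAJOR = "version-update:semver-major"
SEMVER_MINOR = "version-update:semver-minor"
SEMVER_PATCH = "version-update:semver-patch"

# Leading numeric core (major[.minor[.patch]]) followed by any qualifier tail,
# e.g. "2.0.1.MR" -> core (2, 0, 1), qualifier "MR".
_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Split a Maven-style version into ((major, minor, patch), qualifier)."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, tail = match.groups()
    core = (int(major), int(minor or 0), int(patch or 0))
    return core, tail.lstrip(".-")


def update_type(current, candidate):
    """Classify candidate relative to current as a Dependabot update-type label.

    Returns None when the numeric core does not move forward (a downgrade, or a
    qualifier-only change such as 2.0.1 -> 2.0.1.MR); treating those as "not a
    semver upgrade" is an assumption of this example.
    """
    cur, _ = parse_version(current)
    new, _ = parse_version(candidate)
    if new <= cur:
        return None
    if new[0] != cur[0]:
        return SEMVER_MAJOR
    if new[1] != cur[1]:
        return SEMVER_MINOR
    return SEMVER_PATCH


def is_ignored(dependency, current, candidate, rules):
    """True if a rule's dependency-name glob matches and its update-types cover
    this change. A rule with no update-types ignores every update of that
    dependency. fnmatch '*' is used as an approximation of the YAML wildcard."""
    kind = update_type(current, candidate)
    for rule in rules:
        if not fnmatch.fnmatchcase(dependency, rule["dependency-name"]):
            continue
        types = rule.get("update-types")
        if types is None:
            return True
        if kind is not None and kind in types:
            return True
    return False


# Constructed rule set: three rules quoted in the thread plus one assumed rule
# for the reporter's mockito-core case.
IGNORE_RULES = [
    {"dependency-name": "org.apache.mina:mina-core", "update-types": [SEMVER_MAJOR]},
    {"dependency-name": "org.springframework*:*", "update-types": [SEMVER_MAJOR]},
    {"dependency-name": "org.mockito:*", "update-types": [SEMVER_MINOR]},
    {"dependency-name": "org.mockito:mockito-core", "update-types": [SEMVER_MAJOR]},  # assumed
]

# Constructed candidate bumps (dependency, current, candidate); the mina-core
# versions are placeholders.
CANDIDATES = [
    ("org.springframework.boot:spring-boot-starter-parent", "3.3.3", "3.3.4"),
    ("org.mockito:mockito-core", "4.11.0", "5.0.0"),
    ("org.mockito:mockito-core", "4.11.0", "4.12.0"),
    ("org.apache.mina:mina-core", "2.2.3", "3.0.0"),
    ("jakarta.inject:jakarta.inject-api", "2.0.1", "2.0.1.MR"),
]


def plan(candidates, rules):
    """Bucket candidates into {'created': [...], 'ignored': [...]}."""
    result = {"created": [], "ignored": []}
    for dep, cur, new in candidates:
        bucket = "ignored" if is_ignored(dep, cur, new, rules) else "created"
        result[bucket].append((dep, cur, new))
    return result


if __name__ == "__main__":
    for action, entries in plan(CANDIDATES, IGNORE_RULES).items():
        for dep, cur, new in entries:
            print(f"{action:8} {dep} ( from {cur} to {new} )")
```

Under these rules the spring-boot 3.3.3 to 3.3.4 patch bump is created, the mockito-core 4.11.0 to 5.0.0 major bump is ignored, and the jakarta.inject 2.0.1 to 2.0.1.MR change is created because no rule matches it and no `semver-*` label describes a qualifier-only change; that last case is exactly why a Maven qualifier the updater does not recognise as a pre-release shows up as a forward bump.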

@amazimbe
Contributor

Following further investigations, I was able to reproduce this in dependabot versions following the merge of my PR. I have therefore reverted my changes. My sincere apologies for the great inconvenience.

@phuc98ute
Author

Thanks @amazimbe, the ignore function on the Maven ecosystem works now.

7 participants